String aliasName
String that contains the alias.
Constraints:
Length: 1 - 256
Pattern: ^[a-zA-Z0-9:/_-]+$
String aliasArn
String that contains the key ARN.
Constraints:
Length: 20 - 2048
String targetKeyId
String that contains the key identifier referred to by the alias.
Constraints:
Length: 1 - 256
String keyId
The unique identifier for the customer master key (CMK) for which to cancel deletion.
To specify this value, use the unique key ID or the Amazon Resource Name (ARN) of the CMK. Examples:
Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To obtain the unique key ID and key ARN for a given CMK, use ListKeys or DescribeKey.
Constraints:
Length: 1 - 256
String keyId
The unique identifier of the master key for which deletion is canceled.
Constraints:
Length: 1 - 256
String aliasName
String that contains the display name. The name must start with the word "alias" followed by a forward slash (alias/). Aliases that begin with "alias/AWS" are reserved.
Constraints:
Length: 1 - 256
Pattern: ^[a-zA-Z0-9:/_-]+$
String targetKeyId
An identifier of the key for which you are creating the alias. This value cannot be another alias but can be a globally unique identifier or a fully specified ARN to a key.
Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
Constraints:
Length: 1 - 256
String keyId
The unique identifier for the customer master key (CMK) that the grant applies to.
To specify this value, use the globally unique key ID or the Amazon Resource Name (ARN) of the key. Examples:
Globally unique key ID: 12345678-1234-1234-1234-123456789012
Key ARN: arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012
Constraints:
Length: 1 - 256
String granteePrincipal
The principal that is given permission to perform the operations that the grant permits.
To specify the principal, use the Amazon Resource Name (ARN) of an AWS principal. Valid AWS principals include AWS accounts (root), IAM users, federated users, and assumed role users. For examples of the ARN syntax to use for specifying a principal, see AWS Identity and Access Management (IAM) in the Example ARNs section of the AWS General Reference.
Constraints:
Length: 1 - 256
String retiringPrincipal
The principal that is given permission to retire the grant by using the RetireGrant operation.
To specify the principal, use the Amazon Resource Name (ARN) of an AWS principal. Valid AWS principals include AWS accounts (root), IAM users, federated users, and assumed role users. For examples of the ARN syntax to use for specifying a principal, see AWS Identity and Access Management (IAM) in the Example ARNs section of the AWS General Reference.
Constraints:
Length: 1 - 256
List<E> operations
A list of operations that the grant permits.
GrantConstraints constraints
The conditions under which the operations permitted by the grant are allowed.
You can use this value to allow the operations permitted by the grant only when a specified encryption context is present. For more information, see Encryption Context in the AWS Key Management Service Developer Guide.
List<E> grantTokens
A list of grant tokens.
For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.
String name
A friendly name for identifying the grant. Use this value to prevent unintended creation of duplicate grants when retrying this request.
When this value is absent, all CreateGrant requests result in a new grant with a unique GrantId even if all the supplied parameters are identical. This can result in unintended duplicates when you retry the CreateGrant request.
When this value is present, you can retry a CreateGrant request with identical parameters; if the grant already exists, the original GrantId is returned without creating a new grant.
Note that the returned grant token is unique with every CreateGrant request, even when a duplicate GrantId is returned. All grant tokens obtained in this way can be used interchangeably.
Constraints:
Length: 1 - 256
Pattern: ^[a-zA-Z0-9:/_-]+$
String grantToken
The grant token.
For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.
Constraints:
Length: 1 - 8192
String grantId
The unique identifier for the grant.
You can use the GrantId in a subsequent RetireGrant
or RevokeGrant operation.
Constraints:
Length: 1 - 128
String policy
The key policy to attach to the CMK.
If you specify a policy and do not set BypassPolicyLockoutSafetyCheck to true, the policy must meet the following criteria:
It must allow the principal making the CreateKey request to make a subsequent PutKeyPolicy request on the CMK. This reduces the likelihood that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The principal(s) specified in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before specifying the new principal in a key policy because the new principal might not immediately be visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the IAM User Guide.
If you do not specify a policy, AWS KMS attaches a default key policy to the CMK. For more information, see Default Key Policy in the AWS Key Management Service Developer Guide.
The policy size limit is 32 KiB (32768 bytes).
Constraints:
Length: 1 - 131072
Pattern: [ -ÿ]+
String description
A description of the CMK.
Use a description that helps you decide whether the CMK is appropriate for a task.
Constraints:
Length: 0 - 8192
String keyUsage
The intended use of the CMK.
You can use CMKs only for symmetric encryption and decryption.
Constraints:
Allowed Values: ENCRYPT_DECRYPT
String origin
The source of the CMK's key material.
The default is AWS_KMS, which means AWS KMS creates the key
material. When this parameter is set to EXTERNAL, the
request creates a CMK without key material so that you can import key
material from your existing key management infrastructure. For more
information about importing key material into AWS KMS, see Importing Key Material in the AWS Key Management Service
Developer Guide.
The CMK's Origin is immutable and is set when the CMK is
created.
Constraints:
Allowed Values: AWS_KMS, EXTERNAL
Boolean bypassPolicyLockoutSafetyCheck
A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the likelihood that the CMK becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
Use this parameter only when you include a policy in the request and you intend to prevent the principal making the request from making a subsequent PutKeyPolicy request on the CMK.
The default value is false.
KeyMetadata keyMetadata
Metadata associated with the CMK.
ByteBuffer ciphertextBlob
Ciphertext to be decrypted. The blob includes metadata.
Constraints:
Length: 1 - 6144
Map<K,V> encryptionContext
The encryption context. If this was specified in the Encrypt function, it must be specified here or the decryption operation will fail. For more information, see Encryption Context.
List<E> grantTokens
A list of grant tokens.
For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.
String keyId
ARN of the key used to perform the decryption. This value is returned if no errors are encountered during the operation.
Constraints:
Length: 1 - 256
ByteBuffer plaintext
Decrypted plaintext data. This value may not be returned if the customer master key is not available or if you didn't have permission to use it.
Constraints:
Length: 1 - 4096
String aliasName
The alias to be deleted. The name must start with the word "alias" followed by a forward slash (alias/). Aliases that begin with "alias/AWS" are reserved.
Constraints:
Length: 1 - 256
Pattern: ^[a-zA-Z0-9:/_-]+$
String keyId
The identifier of the CMK whose key material to delete. The CMK's
Origin must be EXTERNAL.
A valid identifier is the unique key ID or the Amazon Resource Name (ARN) of the CMK. Examples:
Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Constraints:
Length: 1 - 256
String keyId
A unique identifier for the customer master key. This value can be a globally unique identifier, a fully specified ARN to either an alias or a key, or an alias name prefixed by "alias/".
Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Alias ARN Example - arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
Alias Name Example - alias/MyAliasName
Constraints:
Length: 1 - 256
List<E> grantTokens
A list of grant tokens.
For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.
KeyMetadata keyMetadata
Metadata associated with the key.
String keyId
A unique identifier for the CMK.
Use the CMK's unique identifier or its Amazon Resource Name (ARN). For example:
Unique ID: 1234abcd-12ab-34cd-56ef-1234567890ab
ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Constraints:
Length: 1 - 256
String keyId
A unique identifier for the customer master key. This value can be a globally unique identifier or the fully specified ARN to a key.
Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
Constraints:
Length: 1 - 256
String keyId
A unique identifier for the customer master key. This value can be a globally unique identifier or the fully specified ARN to a key.
Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
Constraints:
Length: 1 - 256
String keyId
A unique identifier for the customer master key. This value can be a globally unique identifier or the fully specified ARN to a key.
Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
Constraints:
Length: 1 - 256
String keyId
A unique identifier for the customer master key. This value can be a globally unique identifier, a fully specified ARN to either an alias or a key, or an alias name prefixed by "alias/".
Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Alias ARN Example - arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
Alias Name Example - alias/MyAliasName
Constraints:
Length: 1 - 256
ByteBuffer plaintext
Data to be encrypted.
Constraints:
Length: 1 - 4096
Map<K,V> encryptionContext
Name-value pair that specifies the encryption context to be used for
authenticated encryption. If used here, the same value must be supplied
to the Decrypt API or decryption will fail. For more
information, see Encryption Context.
List<E> grantTokens
A list of grant tokens.
For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.
ByteBuffer ciphertextBlob
The encrypted plaintext. If you are using the CLI, the value is Base64 encoded. Otherwise, it is not encoded.
Constraints:
Length: 1 - 6144
String keyId
The ID of the key used during encryption.
Constraints:
Length: 1 - 256
String keyId
The identifier of the CMK under which to generate and encrypt the data encryption key.
A valid identifier is the unique key ID or the Amazon Resource Name (ARN) of the CMK, or the alias name or ARN of an alias that refers to the CMK. Examples:
Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
CMK ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Alias name: alias/ExampleAlias
Alias ARN:
arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
Constraints:
Length: 1 - 256
Map<K,V> encryptionContext
A set of key-value pairs that represents additional authenticated data.
For more information, see Encryption Context in the AWS Key Management Service Developer Guide.
Integer numberOfBytes
The length of the data encryption key in bytes. For example, use the
value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
common key lengths (128-bit and 256-bit symmetric keys), we recommend
that you use the KeySpec field instead of this one.
Constraints:
Range: 1 - 1024
String keySpec
The length of the data encryption key. Use AES_128 to
generate a 128-bit symmetric key, or AES_256 to generate a
256-bit symmetric key.
Constraints:
Allowed Values: AES_256, AES_128
List<E> grantTokens
A list of grant tokens.
For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.
ByteBuffer ciphertextBlob
The encrypted data encryption key.
Constraints:
Length: 1 - 6144
ByteBuffer plaintext
The data encryption key. Use this data key for local encryption and decryption, then remove it from memory as soon as possible.
Constraints:
Length: 1 - 4096
String keyId
The identifier of the CMK under which the data encryption key was generated and encrypted.
Constraints:
Length: 1 - 256
String keyId
The identifier of the CMK under which to generate and encrypt the data encryption key.
A valid identifier is the unique key ID or the Amazon Resource Name (ARN) of the CMK, or the alias name or ARN of an alias that refers to the CMK. Examples:
Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
CMK ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Alias name: alias/ExampleAlias
Alias ARN:
arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
Constraints:
Length: 1 - 256
Map<K,V> encryptionContext
A set of key-value pairs that represents additional authenticated data.
For more information, see Encryption Context in the AWS Key Management Service Developer Guide.
String keySpec
The length of the data encryption key. Use AES_128 to
generate a 128-bit symmetric key, or AES_256 to generate a
256-bit symmetric key.
Constraints:
Allowed Values: AES_256, AES_128
Integer numberOfBytes
The length of the data encryption key in bytes. For example, use the
value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
common key lengths (128-bit and 256-bit symmetric keys), we recommend
that you use the KeySpec field instead of this one.
Constraints:
Range: 1 - 1024
List<E> grantTokens
A list of grant tokens.
For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.
ByteBuffer ciphertextBlob
The encrypted data encryption key.
Constraints:
Length: 1 - 6144
String keyId
The identifier of the CMK under which the data encryption key was generated and encrypted.
Constraints:
Length: 1 - 256
Integer numberOfBytes
The length of the byte string.
Constraints:
Range: 1 - 1024
ByteBuffer plaintext
The unpredictable byte string.
Constraints:
Length: 1 - 4096
String keyId
A unique identifier for the customer master key. This value can be a globally unique identifier or the fully specified ARN to a key.
Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
Constraints:
Length: 1 - 256
String policyName
String that contains the name of the policy. Currently, this must be "default". Policy names can be discovered by calling ListKeyPolicies.
Constraints:
Length: 1 - 128
Pattern: [\w]+
String policy
A policy document in JSON format.
Constraints:
Length: 1 - 131072
Pattern: [ -ÿ]+
String keyId
A unique identifier for the customer master key. This value can be a globally unique identifier or the fully specified ARN to a key.
Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
Constraints:
Length: 1 - 256
Boolean keyRotationEnabled
A Boolean value that specifies whether key rotation is enabled.
String keyId
The identifier of the CMK into which you will import key material. The
CMK's Origin must be EXTERNAL.
A valid identifier is the unique key ID or the Amazon Resource Name (ARN) of the CMK. Examples:
Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Constraints:
Length: 1 - 256
String wrappingAlgorithm
The algorithm you will use to encrypt the key material before importing it with ImportKeyMaterial. For more information, see Encrypt the Key Material in the AWS Key Management Service Developer Guide.
Constraints:
Allowed Values: RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
String wrappingKeySpec
The type of wrapping key (public key) to return in the response. Only 2048-bit RSA public keys are supported.
Constraints:
Allowed Values: RSA_2048
String keyId
The identifier of the CMK to use in a subsequent ImportKeyMaterial
request. This is the same CMK specified in the
GetParametersForImport request.
Constraints:
Length: 1 - 256
ByteBuffer importToken
The import token to send in a subsequent ImportKeyMaterial request.
Constraints:
Length: 1 - 6144
ByteBuffer publicKey
The public key to use to encrypt the key material before importing it with ImportKeyMaterial.
Constraints:
Length: 1 - 4096
Date parametersValidTo
The time at which the import token and public key are no longer valid.
After this time, you cannot use them to make an ImportKeyMaterial
request and you must send another GetParametersForImport
request to retrieve new ones.
Map<K,V> encryptionContextSubset
Contains a list of key-value pairs, a subset of which must be present in the encryption context of a subsequent operation permitted by the grant. When a subsequent operation permitted by the grant includes an encryption context that matches this list or is a subset of this list, the grant allows the operation. Otherwise, the operation is not allowed.
Map<K,V> encryptionContextEquals
Contains a list of key-value pairs that must be present in the encryption context of a subsequent operation permitted by the grant. When a subsequent operation permitted by the grant includes an encryption context that matches this list, the grant allows the operation. Otherwise, the operation is not allowed.
String keyId
The unique identifier for the customer master key (CMK) to which the grant applies.
Constraints:
Length: 1 - 256
String grantId
The unique identifier for the grant.
Constraints:
Length: 1 - 128
String name
The friendly name that identifies the grant. If a name was provided in the CreateGrant request, that name is returned. Otherwise this value is null.
Constraints:
Length: 1 - 256
Pattern: ^[a-zA-Z0-9:/_-]+$
Date creationDate
The date and time when the grant was created.
String granteePrincipal
The principal that receives the grant's permissions.
Constraints:
Length: 1 - 256
String retiringPrincipal
The principal that can retire the grant.
Constraints:
Length: 1 - 256
String issuingAccount
The AWS account under which the grant was issued.
Constraints:
Length: 1 - 256
List<E> operations
The list of operations permitted by the grant.
GrantConstraints constraints
The conditions under which the grant's operations are allowed.
String keyId
The identifier of the CMK to import the key material into. The CMK's
Origin must be EXTERNAL.
A valid identifier is the unique key ID or the Amazon Resource Name (ARN) of the CMK. Examples:
Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Constraints:
Length: 1 - 256
ByteBuffer importToken
The import token that you received in the response to a previous GetParametersForImport request. It must be from the same response that contained the public key that you used to encrypt the key material.
Constraints:
Length: 1 - 6144
ByteBuffer encryptedKeyMaterial
The encrypted key material to import. It must be encrypted with the public key that you received in the response to a previous GetParametersForImport request, using the wrapping algorithm that you specified in that request.
Constraints:
Length: 1 - 6144
Date validTo
The time at which the imported key material expires. When the key
material expires, AWS KMS deletes the key material and the CMK becomes
unusable. You must omit this parameter when the
ExpirationModel parameter is set to
KEY_MATERIAL_DOES_NOT_EXPIRE. Otherwise it is required.
String expirationModel
Specifies whether the key material expires. The default is
KEY_MATERIAL_EXPIRES, in which case you must include the
ValidTo parameter. When this parameter is set to
KEY_MATERIAL_DOES_NOT_EXPIRE, you must omit the
ValidTo parameter.
Constraints:
Allowed Values: KEY_MATERIAL_EXPIRES, KEY_MATERIAL_DOES_NOT_EXPIRE
String aWSAccountId
The twelve-digit account ID of the AWS account that owns the CMK.
String keyId
The globally unique identifier for the CMK.
Constraints:
Length: 1 - 256
String arn
The Amazon Resource Name (ARN) of the CMK. For examples, see AWS Key Management Service (AWS KMS) in the Example ARNs section of the AWS General Reference.
Constraints:
Length: 20 - 2048
Date creationDate
The date and time when the CMK was created.
Boolean enabled
Specifies whether the CMK is enabled. When KeyState is
Enabled this value is true, otherwise it is false.
String description
The description of the CMK.
Constraints:
Length: 0 - 8192
String keyUsage
String keyState
The state of the CMK.
For more information about how key state affects the use of a CMK, see How Key State Affects the Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Constraints:
Allowed Values: Enabled, Disabled, PendingDeletion, PendingImport
Date deletionDate
The date and time after which AWS KMS deletes the CMK. This value is
present only when KeyState is PendingDeletion,
otherwise this value is omitted.
Date validTo
The time at which the imported key material expires. When the key
material expires, AWS KMS deletes the key material and the CMK becomes
unusable. This value is present only for CMKs whose Origin
is EXTERNAL and whose ExpirationModel is
KEY_MATERIAL_EXPIRES, otherwise this value is omitted.
String origin
The source of the CMK's key material. When this value is
AWS_KMS, AWS KMS created the key material. When this value
is EXTERNAL, the key material was imported from your
existing key management infrastructure or the CMK lacks key material.
Constraints:
Allowed Values: AWS_KMS, EXTERNAL
String expirationModel
Specifies whether the CMK's key material expires. This value is present
only when Origin is EXTERNAL, otherwise this
value is omitted.
Constraints:
Allowed Values: KEY_MATERIAL_EXPIRES, KEY_MATERIAL_DOES_NOT_EXPIRE
Integer limit
When paginating results, specify the maximum number of items to return in
the response. If additional items exist beyond the number you specify,
the Truncated element in the response is set to true.
This value is optional. If you include a value, it must be between 1 and 100, inclusive. If you do not include a value, it defaults to 50.
Constraints:
Range: 1 - 1000
String marker
Use this parameter only when paginating results and only in a subsequent
request after you receive a response with truncated results. Set it to
the value of NextMarker from the response you just received.
Constraints:
Length: 1 - 320
Pattern: [ -ÿ]*
List<E> aliases
A list of key aliases in the user's account.
String nextMarker
When Truncated is true, this value is present and contains
the value to use for the Marker parameter in a subsequent
pagination request.
Constraints:
Length: 1 - 320
Pattern: [ -ÿ]*
Boolean truncated
A flag that indicates whether there are more items in the list. If your
results were truncated, you can use the Marker parameter to
make a subsequent pagination request to retrieve more items in the list.
Integer limit
When paginating results, specify the maximum number of items to return in
the response. If additional items exist beyond the number you specify,
the Truncated element in the response is set to true.
This value is optional. If you include a value, it must be between 1 and 100, inclusive. If you do not include a value, it defaults to 50.
Constraints:
Range: 1 - 1000
String marker
Use this parameter only when paginating results and only in a subsequent
request after you receive a response with truncated results. Set it to
the value of NextMarker from the response you just received.
Constraints:
Length: 1 - 320
Pattern: [ -ÿ]*
String keyId
A unique identifier for the customer master key. This value can be a globally unique identifier or the fully specified ARN to a key.
Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
Constraints:
Length: 1 - 256
List<E> grants
A list of grants.
String nextMarker
When Truncated is true, this value is present and contains
the value to use for the Marker parameter in a subsequent
pagination request.
Constraints:
Length: 1 - 320
Pattern: [ -ÿ]*
Boolean truncated
A flag that indicates whether there are more items in the list. If your
results were truncated, you can use the Marker parameter to
make a subsequent pagination request to retrieve more items in the list.
String keyId
A unique identifier for the customer master key (CMK). You can use the unique key ID or the Amazon Resource Name (ARN) of the CMK. Examples:
Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Constraints:
Length: 1 - 256
Integer limit
When paginating results, specify the maximum number of items to return in
the response. If additional items exist beyond the number you specify,
the Truncated element in the response is set to true.
This value is optional. If you include a value, it must be between 1 and 1000, inclusive. If you do not include a value, it defaults to 100.
Currently only 1 policy can be attached to a key.
Constraints:
Range: 1 - 1000
String marker
Use this parameter only when paginating results and only in a subsequent
request after you receive a response with truncated results. Set it to
the value of NextMarker from the response you just received.
Constraints:
Length: 1 - 320
Pattern: [ -ÿ]*
List<E> policyNames
A list of policy names. Currently, there is only one policy and it is named "Default".
String nextMarker
When Truncated is true, this value is present and contains
the value to use for the Marker parameter in a subsequent
pagination request.
Constraints:
Length: 1 - 320
Pattern: [ -ÿ]*
Boolean truncated
A flag that indicates whether there are more items in the list. If your
results were truncated, you can use the Marker parameter to
make a subsequent pagination request to retrieve more items in the list.
Integer limit
When paginating results, specify the maximum number of items to return in
the response. If additional items exist beyond the number you specify,
the Truncated element in the response is set to true.
This value is optional. If you include a value, it must be between 1 and 1000, inclusive. If you do not include a value, it defaults to 100.
Constraints:
Range: 1 - 1000
String marker
Use this parameter only when paginating results and only in a subsequent
request after you receive a response with truncated results. Set it to
the value of NextMarker from the response you just received.
Constraints:
Length: 1 - 320
Pattern: [ -ÿ]*
List<E> keys
A list of keys.
String nextMarker
When Truncated is true, this value is present and contains
the value to use for the Marker parameter in a subsequent
pagination request.
Constraints:
Length: 1 - 320
Pattern: [ -ÿ]*
Boolean truncated
A flag that indicates whether there are more items in the list. If your
results were truncated, you can use the Marker parameter to
make a subsequent pagination request to retrieve more items in the list.
Integer limit
When paginating results, specify the maximum number of items to return in
the response. If additional items exist beyond the number you specify,
the Truncated element in the response is set to true.
This value is optional. If you include a value, it must be between 1 and 100, inclusive. If you do not include a value, it defaults to 50.
Constraints:
Range: 1 - 1000
String marker
Use this parameter only when paginating results and only in a subsequent
request after you receive a response with truncated results. Set it to
the value of NextMarker from the response you just received.
Constraints:
Length: 1 - 320
Pattern: [ -ÿ]*
String retiringPrincipal
The retiring principal for which to list grants.
To specify the retiring principal, use the Amazon Resource Name (ARN) of an AWS principal. Valid AWS principals include AWS accounts (root), IAM users, federated users, and assumed role users. For examples of the ARN syntax for specifying a principal, see AWS Identity and Access Management (IAM) in the Example ARNs section of the Amazon Web Services General Reference.
Constraints:
Length: 1 - 256
List<E> grants
A list of grants.
String nextMarker
When Truncated is true, this value is present and contains
the value to use for the Marker parameter in a subsequent
pagination request.
Constraints:
Length: 1 - 320
Pattern: [ -ÿ]*
Boolean truncated
A flag that indicates whether there are more items in the list. If your
results were truncated, you can use the Marker parameter to
make a subsequent pagination request to retrieve more items in the list.
String keyId
A unique identifier for the CMK.
Use the CMK's unique identifier or its Amazon Resource Name (ARN). For example:
Unique ID: 1234abcd-12ab-34cd-56ef-1234567890ab
ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Constraints:
Length: 1 - 256
String policyName
The name of the key policy.
This value must be default.
Constraints:
Length: 1 - 128
Pattern: [\w]+
String policy
The key policy to attach to the CMK.
If you do not set BypassPolicyLockoutSafetyCheck to true, the policy must meet the following criteria:
It must allow the principal making the PutKeyPolicy request to make a subsequent PutKeyPolicy request on the CMK. This reduces the likelihood that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The principal(s) specified in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before specifying the new principal in a key policy because the new principal might not immediately be visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the IAM User Guide.
The policy size limit is 32 KiB (32768 bytes).
Constraints:
Length: 1 - 131072
Pattern: [ -ÿ]+
Boolean bypassPolicyLockoutSafetyCheck
A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the likelihood that the CMK becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
Use this parameter only when you intend to prevent the principal making
the request from making a subsequent PutKeyPolicy request on
the CMK.
The default value is false.
ByteBuffer ciphertextBlob
Ciphertext of the data to reencrypt.
Constraints:
Length: 1 - 6144
Map<K,V> sourceEncryptionContext
Encryption context used to encrypt and decrypt the data specified in the
CiphertextBlob parameter.
String destinationKeyId
A unique identifier for the CMK to use to reencrypt the data. This value can be a globally unique identifier, a fully specified ARN to either an alias or a key, or an alias name prefixed by "alias/".
Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Alias ARN Example - arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
Alias Name Example - alias/MyAliasName
Constraints:
Length: 1 - 256
Map<K,V> destinationEncryptionContext
Encryption context to use when the data is reencrypted.
List<E> grantTokens
A list of grant tokens.
For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.
ByteBuffer ciphertextBlob
The reencrypted data.
Constraints:
Length: 1 - 6144
String sourceKeyId
Unique identifier of the CMK used to originally encrypt the data.
Constraints:
Length: 1 - 256
String keyId
Unique identifier of the CMK used to reencrypt the data.
Constraints:
Length: 1 - 256
String grantToken
Token that identifies the grant to be retired.
Constraints:
Length: 1 - 8192
String keyId
The Amazon Resource Name of the CMK associated with the grant. Example:
arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab
Constraints:
Length: 1 - 256
String grantId
Unique identifier of the grant to retire. The grant ID is returned in the
response to a CreateGrant operation.
Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123
Constraints:
Length: 1 - 128
String keyId
A unique identifier for the customer master key associated with the grant. This value can be a globally unique identifier or the fully specified ARN to a key.
Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
Constraints:
Length: 1 - 256
String grantId
Identifier of the grant to be revoked.
Constraints:
Length: 1 - 128
String keyId
The unique identifier for the customer master key (CMK) to delete.
To specify this value, use the unique key ID or the Amazon Resource Name (ARN) of the CMK. Examples:
Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To obtain the unique key ID and key ARN for a given CMK, use ListKeys or DescribeKey.
Constraints:
Length: 1 - 256
Integer pendingWindowInDays
The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the customer master key (CMK).
This value is optional. If you include a value, it must be between 7 and 30, inclusive. If you do not include a value, it defaults to 30.
Constraints:
Range: 1 - 365
String aliasName
String that contains the name of the alias to be modified. The name must start with the word "alias" followed by a forward slash (alias/). Aliases that begin with "alias/aws" are reserved.
Constraints:
Length: 1 - 256
Pattern: ^[a-zA-Z0-9:/_-]+$
String targetKeyId
Unique identifier of the customer master key to be mapped to the alias. This value can be a globally unique identifier or the fully specified ARN of a key.
Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
You can call ListAliases to verify that the alias is mapped to the
correct TargetKeyId.
Constraints:
Length: 1 - 256
String keyId
A unique identifier for the CMK. This value can be a globally unique identifier or the fully specified ARN to a key.
Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
Constraints:
Length: 1 - 256
String description
New description for the CMK.
Constraints:
Length: 0 - 8192